Ask Me No Questions

Twitter exposed passwords internally, storing them in a log file.  The downside is that it’s the latest example companies aren’t careful.  The upside is that there is a regular drumbeat surrounding secure online accounts, which is a good thing.  We’re thinking about better passwords, maybe using two factor authentication.  The only thing I’d throw on the fire is the use of security questions.

This occurred to me recently.  I created a new account and, as part of the process, it asked me a list of questions to answer.  It has been ages since this happened, with most sites I use moving to multi-factor authentication rather than rely on security questions.

Google did the research, but asking people to provide information (dog names, mother’s maiden names, elementary school) to enable password recovery is risky behavior.  The best case is that the company keeps the information protected – the worst, as with Yahoo!, is they lose control of what is likely to be a unique piece of information.

As with the Facebook fiasco, it’s not a matter of whether or not you’ve shared an answer online.  What matters is whether you or someone to whom you’re connected has explicitly or implicitly shared the information.

From the Google research paper “Secrets, Lies, and Account Recovery

One aspect that the paper touched on was how we are untruthful in answering these questions.  Perhaps because we know that information should be private, we give false answers.  The research found that some cultures tended towards the same false answers, making the questions less secure.

The questions are getting more and more peculiar over time.  This last account had questions that I didn’t remember the answers to, even if I’d wanted to be truthful.

Security Questions Aren’t Secure

And the questions aren’t hard to find.  For a while after the Yahoo! hack, you could find their questions.  Here’s a list from a blog – I’ve marked all the ones I’ve been asked somewhere in bold:

  • What is the first and last name of your first boyfriend or girlfriend?
  • Which phone number do you remember most from your childhood?
  • What was your favorite place to visit as a child?
  • Who is your favorite actor, musician, or artist?
  • What is the name of your favorite pet?
  • In what city were you born?
  • What high school did you attend?
  • What is the name of your first school?
  • What is your favorite movie?
  • What is your mother’s maiden name?
  • What street did you grow up on?
  • What was the make of your first car?
  • When is your anniversary?
  • What is your favorite color?
  • What is your father’s middle name?
  • What is the name of your first grade teacher?
  • What was your high school mascot?
  • Which is your favorite web browser?

and another from a paper on the feminist history of security questions:

  • What is your favorite children’s book
  • What is your dream job
  •  What was your childhood nickname
  • What was the model of your first car
  • Who was your favorite singer or band in high school
  • Who was your favorite film star or character in school
  • What was the first name of your first boss
  • In what city did your parents meet
  • What was the first car you owned
  • What was the name of your first pet
  • What is the first name of your best friend in high school
  • What was the first film you saw in the theater
  • What was the first thing you learned to cook
  • What is the last name of your favorite elementary school teacher
  • Where did you go the first time you flew on a plane
  • Who was your favorite teacher
  • What is the name of the street where you grew up
  • What is the name of the first beach you visited
  • What was the first album you purchased
  • In which city did your mother and father meet
  • What is the name of your favorite sports team

I’m always struck by how the questions assume you lived in 1950s Bayport or on the set of Leave it to Beaver.  Also, what kind of monster has a favorite pet? By the time you get to the funniest security questions, it starts to beg the question why anyone would use these things?

I don’t want my security to be zany – I want it to be secure.

As you read through those questions, ask yourself how many of them someone other than you could answer.  And then consider how many of them someone could infer from your pet pictures, from your social media accounts, conference bios, old newspaper articles that have been digitized since your childhood.

Answers Are Easy to Find

Not to change subjects, but I was following the Golden Gate Killer story recently and how they were able to upload DNA, then use inferences to go through a family tree towards a possible suspect.  It’s the same approach I’d use, with the same immutable information, to find out about a person whose name I knew.

For example, if I was the target, it wouldn’t be hard to find out I graduated from the University of Arkansas-Little Rock with a  law degree in 1996.  That means that, more likely than not:

  • I lived in Little Rock, Arkansas
  • unless I was a mature student, most lawyers in the US graduate in their mid-late twenties, so I was probably born in the late 60s or very early 70s and am about 50.

Let’s go to our friendly online person search tool – Spokeo – and search for David Whelan “Little Rock”.  People outside of the US are not subject to this sort of search, but it doesn’t mean that information isn’t available.  I have found my kids’ friends’ social media accounts and home addresses in ways that astonish them. And, frankly, serve the creepy lesson intended.

There are only two of us in the search result, and you can find out names of possible family members, as well as the cities I lived in before I went into Witness Protection in Canada.  It’s accurate to a point, although it has some large omissions.  But most of those you could find out on my LinkedIn profile, if I had one.

My Spokeo results show possible family members and previous homes.

Once someone has family members, it’s a matter of running their information through searches like Spokeo, Intelius, or Ancestry, or just finding social media profiles by searching on their handle.  You’re probably following or followed/friended by family.  They may have mentioned pets, schools, cars, even if you haven’t.  Particularly if they share more than you.

Even just a Google search with “[name] [lived in location]” will retrieve more details related to early schooling, etc.  The questions might have been somewhat obscure for people my age, but for the generation who have spent their entire life being Instrgrammed and Facebooked by their parents, this stuff is easy to find.

Use Passwords as Answers

I’m pretty fed up with the inability of online services to protect my private information.  As with most things dealing with security and technology, there is a risk balancing to use.  If the service you’re using requires security answers for account recovery, you should give them answers.  You don’t want to risk your ability to recover your account.

But there’s no need to give them either real answers or false ones.  If you use a password manager, and you should, you can just create passwords to answer each question.  Because you’re using the password manager to generate them, they should be strong and hard to guess.

Here’s how I am doing it with the open source password manager KeePass.  The video shows KeePass and a text editor, Notepad.  The text editor has the list of questions.  I’m using KeePass’ password generator and its preview password function to copy and paste a number of passwords from KeePass to Notepad.  Don’t click ok at the preview, or you’ll overwrite the password you’ve stored in the Password location.

As you answer each question on the online site, you can give it a password rather than a real or false piece of information.  The preview function allows you to create a whack of passwords all at one.  Or you could use a site like Wolfram Alpha’s password generator web app.

Next time you need to access the account or use account recovery, you have a list of the questions with the associated answers.

One of the problems I have with security questions is the same one I have with biometrics.  Some things about you – physical things, like fingerprints or face or eyes, as well as information like family and where you’ve lived – are things that you can’t change.

So far, there isn’t anyone who I really trust to keep these sorts of secrets for me.  Online companies are not prioritizing it, and governments are only just moving out of the shadow of security-through-obscurity and may not be any better.  Those 5 million fingerprints lost by a US government department aren’t going to change.  I’d rather give these services multiple, hard-to-guess character strings that, if they are lost, are easier to replace than my family.